
According to the Wallarm Q1 2025 ThreatStats report, 70% of all application attacks target APIs. The industry can no longer treat API security as a sidenote; it’s time to treat it as the main event. NIST seems to be on board with this view, releasing the initial public draft of NIST SP 800-228, a set of recommendations for securing APIs.

I recently sat down with AJ Debole, Field CISO at Oracle, for a practical, forward-looking discussion about why API security matters now more than ever – and how NIST SP 800-228 could be an all-important north star.

The Context: APIs, Automation, and Attack Velocity

APIs aren’t just an evolution of application architecture; they’re a fundamental shift in how services are built, consumed, and secured. Unlike web applications, APIs are designed for programmatic access. That means the same traits that make them essential for automation – statefulness, structure, machine readability – also make them attractive to attackers.

AJ raised an important point in our discussion: APIs lower the technical barrier to entry for offensive security work. You don’t need to manipulate browser traffic or master proxy tooling to fuzz an API; a simple curl command or Python script can be enough. That ease of access makes APIs a high-value target for both automated scanners and more sophisticated actors.

The increasing integration of APIs with AI systems (GenAI agents, in particular) only amplifies this risk. These agents interact with APIs autonomously,…